On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> A digital signature is not an MD5 checksum, it may have actual legal
> meaning in many countries equivalent to a pen and paper signature.
I would expect that verifying a package was signed by PyPI to mean no more than
that the bits match what's available from PyPI for the same name. (Not sure if
that's what's in the PEP, but that's what I'd be looking for.)
We'd have to disclaim anything more than that. But it would be useful to verify
that a package from a mirror was accurately mirrored.
-Fred
--
Fred L. Drake, Jr. <fdrake at gmail.com>
"Chaos is the score upon which reality is written." --Henry Miller